Last week, the New York Times reported that Euclid Analytics “uses the Wi-Fi antennas inside stores to see how many people are coming into a store, how long they stay and even which aisles they walk. It does this by noting each smartphone that comes near the store, feeding on every signal ping the phone sends.” This tracking of consumers raises privacy questions, and Sen. Al Franken (D-Minn.) is seeking answers. Franken, chairman of the subcommittee on Privacy, Technology and the Law of the Senate Judiciary Committee, has sent a letter to Euclid asking about the data collection, which is opt-out for individuals — meaning they have to go the Euclid’s site and enter their phone’s MAC address to tell the company not to surreptitiously track them. (If you have an iPhone, go to Settings –> General –> About and your MAC address is what’s next to Wi-Fi Address. The Euclid opt-out page has instructions for iPhones and Android, Blackberry and Windows Mobile phones.)
I am writing to request information about Euclid, Inc.’s use of consumer tracking technology. As I understand it, your company’s technology can track consumers as they walk past a store, enter a store, or move between its floors by tracking a permanent and unique hardware number transmitted by those consumers’ smartphones. This tracking occurs on an opt-out basis: unless someone visits your website and enters her information, Euclid’s technology will track her. Recent news reports suggest that Euclid’s technology has tracked 50 million unique smartphones or other WiFi-enabled devices. All of this would suggest that the movements of millions of Americans have been tracked in your clients’ stores without those consumers’ permission. I find this troubling.
It’s clear that your company has taken concrete steps to protect consumers’ privacy, such as “hashing” the unique identifiers you collect from consumers’ smartphones and only disclosing aggregate consumer data to your clients. I applaud these efforts. At the same time, I think that Americans have a fundamental right to not be tracked without their consent – especially in the real, “offline” world where they are less likely to expect it. I also have serious concerns about how Euclid will use, share, and protect the data that it collects from users in this manner.
Franken seeks answers to the questions below, among others, by April 1.
- Exactly how many unique smartphones has Euclid tracked in its clients’ stores?
- In what cities and states does Euclid track consumers’ smartphones?
- Euclid’s online Privacy Statement says that its technology would enable it to tell a client whether “more people usually tend to grab a coffee or an ice cream after going to the dentist[.]” I understand that Euclid’s technology is not being used in any medical facilities or pharmacies. Is that correct? If so, will Euclid pledge that it will never deploy its technology in or near any medical facilities or pharmacies in the future?
- What mechanisms does Euclid have in place to monitor and identify breaches of consumer data?
- Has Euclid’s consumer data ever been breached?
- If a law enforcement agency or a company told Euclid the MAC address for someone’s smartphone and asked what stores the owner of that smartphone had previously walked past or visited, would Euclid be able to answer that question?
- Will Euclid require law enforcement to obtain a warrant before disclosing a particular consumer’s location records?
- Does Euclid have any plans to sell, rent or disclose any of its consumer data to data brokers or any other third parties?